<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Automation of Building the Safety Models of Complex Technical Systems for Critical Application</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Bohdan Volochiy</string-name>
          <email>bvolochiy@ukr.net</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Bohdan Mandziy</string-name>
          <email>bmandziy@lp.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Leonid Ozirkovskyy</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Department of Theoretical Radio Engineering and Radio Measurement, Lviv Polytechnic National University</institution>
          ,
          <addr-line>12 Bandera str., 79013 Lviv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <abstract>
<p>In this paper an improvement of the method of automated building of state space models of complex technical systems for critical application is proposed. On the basis of the developed model with the split state of critical failure, the reliability and safety indexes of the studied system can be obtained. The developed approach allows estimating reliability and safety indexes in a way that lets the impact of maintenance strategies on safety and reliability, and the impact of fault tolerance on safety, be considered. This will increase the accuracy (certainty) of the estimation of efficiency indexes of complex technical systems for critical application.</p>
      </abstract>
      <kwd-group>
        <kwd>Reliability</kwd>
        <kwd>Reliability Engineering</kwd>
        <kwd>Safety</kwd>
        <kwd>Modeling</kwd>
        <kwd>Complex System</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Modern technical systems belong to the class of complex systems, which have the
following properties [
        <xref ref-type="bibr" rid="ref1 ref2">1,2</xref>
        ]:
      </p>
      <list list-type="bullet">
        <list-item>
          <p>presence of a large number of elements which interact according to a given functional algorithm, which causes the great dimension of the reliability mathematical model (from tens to hundreds of thousands of differential equations);</p>
        </list-item>
        <list-item>
          <p>elements of the system can be characterized by several types of failures (such as breakage and short circuit);</p>
        </list-item>
        <list-item>
          <p>in the case of multifunctional systems, situations can occur in which not all functions are fully performed, or are performed simultaneously, or are performed with deterioration of the relevant characteristics. Therefore the definition of "system failure" is complicated;</p>
        </list-item>
        <list-item>
          <p>the failure of a complex system for critical application can cause human casualties or material damage, so these systems must be fault-tolerant (able to function normally under failures of individual elements) and safe (resistant to accidents). These properties are achieved by introducing various kinds of redundancy (structural, algorithmic, time, etc.), which complicates the structure and the internal behavior algorithm of the system as a result of the introduction of control functions, fault isolation and function recovery.</p>
        </list-item>
      </list>
      <p>Thus, the designers of complex technical systems for critical application (CTSCA)
must provide a high level of reliability and safety of the project, and in doing so they meet a
number of contradictions, namely: the contradiction between the complexity of the system
and its reliability (a more complex system has lower reliability), and the contradiction
between reliability and safety (to increase the level of safety it is necessary to introduce
additional subsystems of security, locking, emergency stop, etc., which reduces reliability).
Increasing reliability through the use of a fault-tolerant configuration does not increase
the level of safety. At the same time, applying an appropriate maintenance strategy
increases both reliability and safety. At the design stage these contradictions are solved
by multivariate mathematical modeling of CTSCA, comparative analysis of
alternatives and selection of the best one. Note that system reliability analysis
involves the study of the process of transition from state to state in the state space as a
result of failure or restoration of certain elements of the system. In the general approach
to forming reliability models, these models are formalized and describe the interaction
of the elements of the system during its operation from the reliability standpoint. These
models reflect the degree of influence of each element on the reliability of the whole. The
study of safety includes, in addition, the analysis of the transition of the system to failures due
to accidents and determines the characteristics of this process.</p>
      <p>Due to the complexity of modern technical systems, multivariate analysis without
automation of model building and of the estimation of reliability and safety indexes on its
basis is in many cases not feasible. So, especially for safety estimation, it is often
replaced by building one variant of the model, followed by combining the obtained
results with expert evaluation of safety and recommendations to bring them up to
acceptable values.</p>
      <p>Nowadays the modeling of the reliability behavior of CTSCA and the modeling of its safety are
carried out independently of each other, using different types of models, which in the
case of reliability take into account some properties of the system, but in the case of
safety completely different ones, although in reality these properties are interrelated and
cannot be separated.</p>
      <p>This approach is explained by the complexity of reliability models as well as of safety
models, and accordingly by the huge time costs of their building and the significant
computational costs of their analysis, even when only the important
nuances of CTSCA behavior are taken into account. The dimension of reliability models of modern systems
can reach hundreds and thousands of equations. The safety model, unlike the reliability
model, is a complex logical function that contains hundreds and thousands of arguments.
Experience shows that the "manual" building of reliability models of fault-tolerant
systems, even with a small number of elements (10), without software requires a
time-consuming procedure of dozens of hours. If the parameters of the state graph change,
a new one has to be rebuilt; the probability of making errors in the model is
very high while the chances of detecting them are very low, and the time of restructuring
the state graph is comparable with the time of constructing its first version. Manual
building of safety models as fault trees and the estimation of risk indexes
(minimal cut sets) on their basis is comparable in complexity to building reliability models
as a graph of states and transitions.</p>
      <p>From the above arises the urgent task of further improvement and development of
automated methods for modeling the reliability behavior of CTSCA which are focused on
reliability and safety indexes estimation.</p>
      <p>2 The Current State of Modeling the Reliability and Safety of Complex Technical Systems for Critical Application and Directions for Its Improvement</p>
      <p>For reliability estimation of CTSCA there are nowadays enough formal, and in some
cases software-implemented, approaches, but for safety estimation there are only
partially formalized methodologies which involve manual building of logical and
probabilistic models in a GUI. These models provide the automated determination of
selected safety indexes: risk indexes (minimal cut sets).</p>
      <p>
        Well-known software suites such as RAM Commander (ALD, Israel) [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ], PTC
Windchill QualitySolutions (PTC, USA) [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], ReliaSoft Synthesis Master Suite
(ReliaSoft USA) [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], Item Toolkit (Item Software, USA, UK) [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], Reliability
Workbench (Isograph, US, UK) [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ] allow building reliability models as reliability block
diagrams (RBD) with the automated estimation of reliability. Models as graph of states
and transitions are built manually with further automation of reliability analysis.
      </p>
      <p>For safety estimation these software suites have graphical tools for forming fault
trees in manual mode with the automated determination of minimum cut sets and
special tools to carry out FMEA / FMECA analysis. The main advantage of these
software suites is that they contain integrated frameworks of elements models
(electronic, electromechanical, mechanical, etc.) in accordance with international
standards: MIL-HDBK-217, Telcordia SR-332, IEC TR 62380, 217Plus, FIDES, which
are required for reliability and safety analysis.</p>
      <p>
        In monograph [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] the general principles of automation of building reliability models
as a matrix of states and transitions, with subsequent transition to the graph of
states and transitions, are given as guidelines and recommendations. Moreover, this approach
does not have tools to analyze safety. In monograph [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] the fundamental principles of
logical and probabilistic models as fault trees for reliability and safety estimation
are provided. This approach is actually widely used to analyze safety indexes, namely
risk, by determining the minimal cut sets. However, this approach is not formalized and
in the case of CTSCA it requires significant time costs for building the fault tree and
computational costs for the analysis of safety indexes. In addition, any change in the
structure of the system requires the construction of a new model. Therefore, for
multivariate analysis at the design stage this approach is rarely used; it is usually
applied for certification, when the structure of the CTSCA is established.
      </p>
      <p>
        Currently the most powerful method for building reliability models of CTSCA is the
state space method. It allows us to adequately reflect the functional and reliability
behavior of CTSCA. The model generated by this method is represented by the system of
linear differential Chapman-Kolmogorov equations, which adequately describes all
the features of system behavior and allows us to obtain the standardized and
non-standardized reliability indexes required by the developer at the design stage.
However, for the analysis of safety and risk in particular, this mathematical tool is not
used in practice, although there are attempts to use it for building dynamic fault trees
[
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]. Practical use of the state space method [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] at the design stage is limited by
cumbersome models, whose phase space amounts to 10<sup>3</sup>..10<sup>4</sup> equations, and for
multivariate analysis it is in most cases replaced by simplified evaluation using
standard models.
      </p>
      <p>
        In work [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ] the method of automated generation of the state space for behavior analysis
of CTSCA, based on a formalized description of the designed object in the form of a
structural-automatic model, is described. It allows us to automate the process of
building reliability models and to significantly reduce the time costs of multivariate
analysis.
      </p>
      <p>
        A structural-automatic model (SAM) consists of three sets of data [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. The first set is
the state vector (SV), which describes the whole formalized list of states using variables, the SV
components. The SV components are variables which describe the state of the system
elements. The state vector may contain additional components which are used to track the
status of additional features, such as a counter of the current number of repairs of each item,
a counter of all repairs, a counter of the total number of failed items and so on.
      </p>
      <p>The second set is the constants: the set of formal parameters which characterize the
structure of the system and its properties, namely the number of parts in the system
configuration, the number of reserve elements, their failure rates and renewal
intensities, the limited number of renewals and more.</p>
      <p>The third set is the tree of modification rules of state vector components (TMRSVC),
which is given in tabular form and reflects the consequences which follow the
failure or recovery of certain elements under certain conditions. The components of the
TMRSVC are the events which can occur with elements (failure or recovery of an
element, reserve connection, etc.), the set of logical conditions that defines the combinations
of values of state vector components under which this event takes place, and the
modification rules of state vector components (MRSV). Each condition corresponds
to a formula for calculating the transition intensity (FCIT). The result of an event is the
change of an SV component and the transition from one state of the system to another in
accordance with the rules of transition. If certain elements are subject to more than one
type of failure (such as breakage and short circuit) whose probabilities are known,
a set of formulas for calculating the probabilities of alternative
transitions (FCPAT) is used, for each of which a certain rule from the MRSV is applied.</p>
      <p>The time cost of building the SAM by an experienced developer is 1-30 hours, depending
on the complexity of the system. These costs justify themselves in multivariate analysis of
fault-tolerant systems, because each subsequent correction of the model, even with significant
changes in the structure of the system, takes from tens of minutes to several hours.</p>
      <p>
        This approach is implemented in the ASNA software [
        <xref ref-type="bibr" rid="ref11 ref2">2, 11</xref>
        ]. Input data about the
studied object for the ASNA software module should be submitted in the form of a SAM,
which is a formalized description of the structure and reliability behavior of the system (the
rules of transition from one state to another during the failure and recovery of elements).
Based on the SAM, the ASNA software module generates the list of all possible states of the
system and the table of transitions from one state to another, which is transformed into the
matrix of transition intensities when numerical values of the failure and recovery intensities
of the system are entered. Then, based on the matrix of intensities, the
ASNA module automatically forms the system of differential Chapman-Kolmogorov
equations and solves it by the Runge-Kutta-Merson method. As a result the user gets the
time dependences of the probabilities of the system being in each of the possible states. Based
on this information, the user can define the standardized reliability indexes of the system
(availability function, probability of failure, failure flow parameter, MTTF, etc.), and
arbitrary parameters that may be needed for a detailed study of the system (probability
of downtime, probability of having at least N operable elements when using a certain
number of renewals, etc.).
      </p>
      <p>
        This approach focuses on the estimation of reliability indexes for reliability design and
efficiency indexes for functional design. To use this approach for safety indexes
estimation, improvement of both the graph of states and transitions (to display emergency
situations) and the description of the state vector and the principles of SAM building is needed.
In particular, in work [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] it is proposed to combine the approach outlined in
monograph [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] with a reliability block diagram GUI, which allows integrating into the SAM
the developed method of RBD visualization and determining the system operation conditions.
The developed interface allows entering data not only for the method of RBD visualization,
but also for the reliability model of the whole system. However, this approach has several
limitations concerning maintenance strategies and tools for monitoring and
diagnostics. In addition, this approach focuses exclusively on building reliability
models.
      </p>
      <p>Thus, among the known approaches none were found which allow
determining the reliability and safety indexes from the same behavior model of CTSCA
while taking into account all behavior features of the system during disability, accidents,
downtime, etc. Hence the task of updating the SAM and the state space method for their
adaptation to the problems of multivariate analysis and safety indexes estimation.</p>
      <p>3 Improvement of the State Space Method and Its Formalization for Safety Models Building</p>
      <p>The state space method combined with a formalized description of the system in the
form of a SAM is a powerful tool for the study of both functional and reliability indexes
of CTSCA that allows us to perform multivariate analysis with minimal
time cost. A significant advantage of the state space method is that it provides the set of all
states of the CTSCA and determines the probabilities of getting into or staying in any of
them. This property is particularly relevant when the operation of the system allows
states of reduced functionality or partial disability. In addition, one can see the amount
of reliability increase when introducing certain types of redundancy and their cost. These
properties make it possible not only to investigate the reliability of CTSCA when
introducing redundancy or changing its behavior algorithm, but also to analyze the
impact of these actions on safety, which we understand as the risk of an emergency in case
of failure of each element of the system.</p>
      <p>
        This index according to [
        <xref ref-type="bibr" rid="ref13 ref14">13, 14</xref>
        ] is called the minimal cut set. A minimal cut set (MCS)
is a minimal combination of events which leads to catastrophic system failure: if
any event is removed from the MCS, the remaining events collectively cannot cause
catastrophic system failure [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ].
      </p>
      <p>Thus, when designing CTSCA we must have a single model that is based on the state
space method and provides:</p>
      <list list-type="bullet">
        <list-item><p>adequate reflection of system behavior during disability;</p></list-item>
        <list-item><p>consideration of strategies for maintenance and repair;</p></list-item>
        <list-item><p>consideration of controls and diagnostics;</p></list-item>
        <list-item><p>the possibility of obtaining reliability indexes (probability of faultless work, availability, MTTF, MTBF);</p></list-item>
        <list-item><p>the possibility of obtaining safety indexes (MCS);</p></list-item>
        <list-item><p>consideration of system downtime;</p></list-item>
        <list-item><p>the opportunity to obtain indexes of economic efficiency;</p></list-item>
        <list-item><p>the ability to carry out multivariate analysis.</p></list-item>
      </list>
      <p>To achieve this goal it is necessary to make a number of modifications of the state
space method, as described below. The behavior of CTSCA is described by graph of
states and transitions. Vertices of graph are the states in which the system can be. These
states are characterized by probabilities. Edges of the graph are the possible transitions
from state to state and are characterized by the transition intensities.</p>
      <p>In all known methods the catastrophic failure state is a combination of all
inoperable states, which are united into one state. This is done, on the one hand, to obtain
the required reliability indexes when only operable states are used, and on the other hand
because the inoperable states significantly increase the phase space, whose dimensionality is
already great.</p>
      <p>Therefore, for safety indexes estimation (MCS), the state of
catastrophic failure (CF) must be split into separate states. Thus, the set of inoperable states contains a
subset of accident states (AS1, ..., ASi, ...) corresponding to the CTSCA (Fig. 1). Each of these
accidents can be represented by the corresponding fault tree.</p>
      <p>The dimension of the system of Chapman-Kolmogorov differential equations
increases proportionally to the expansion of the phase space, and the system of equations
consists of two parts: the equations that describe the operable states (P<sub>i</sub>(t)) and the
equations that describe the inoperable states (Q<sub>j</sub>(t)).</p>
      <p>The solution of the equation system can be obtained by analytical methods
(matrix exponential, Laplace transform) and numerical methods (Runge-Kutta,
Rosenbrock). As a result of the solution the probability distribution of the CTSCA being in all
states is obtained.</p>
      <p>The next step is the filtration of the obtained probability distribution to separate the
states into operable and inoperable. The filter in this case is the critical failure condition.
As a result of the filtration, we obtain the set of probabilities of the CTSCA being in operable
states {P<sub>i</sub>(t)} and the set of probabilities of the CTSCA being in inoperable states {Q<sub>j</sub>(t)},
where i is the serial number of an operable state and j is the serial number of an inoperable
state.</p>
      <p>Fig. 1. Split state of CF: accident states AS1, AS2, AS3</p>
      <p>From the resulting set of operable states the necessary reliability indexes are formed,
and from the set of inoperable states the MCS, i.e. the combinations of inoperable states for which
the critical failure will definitely occur, are obtained.</p>
      <p>As the number of inoperable states is of the order of 10<sup>1</sup>..10<sup>2</sup>, for automated MCS
determination an algorithm for finding all combinations of inoperable states which refer to
critical system failure should be developed. If a single failed element forms an MCS, this element is one of the
most critical parts of the system. In the case of fault-tolerant systems, which CTSCA are,
a combination of several elements is possible. It is considered that the more
inoperable states are included in an MCS, the less vulnerable the system is and the less the effects
of its failure will be catastrophic for human life and health and the environment.</p>
      <p>If the vulnerable elements which form the inoperable states included in the MCS
are replaced by more reliable or reserved ones, the risk of an accident is reduced by a factor. Thus,
the MCS are necessary for the designer to introduce reasonable redundancy in a new version
of the designed CTSCA. So the rate of risk reduction due to the introduction of redundancy
can be quantified:</p>
      <p>K<sub>rr</sub> = C<sub>m</sub> / C<sub>n</sub>, (1)</p>
      <p>where C<sub>m</sub> is the MCS before the introduction of redundancy and C<sub>n</sub> is the MCS after the introduction of redundancy.</p>
      <p>A generalized diagram of the technique for estimating safety and reliability indexes
based on the graph of states and transitions with the split failure state and using the SAM
is shown in Fig. 2. According to it, the automated algorithm for obtaining the MCS was
developed. The input data for the algorithm is the set of inoperable states
derived from the binary SAM.</p>
      <p>
        The binary SAM is the SAM of the CTSCA in which all elements of the structure are
represented by individual SV components and can take only one of two values: zero and one.
The binary SAM, unlike the original SAM [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ], makes it possible to describe
the structure and behavior of a CTS without unification of the states of its structural elements.
In addition, the binary SAM allows obtaining the split failure state, in which the failure states of
CTSCA subsystems can be discerned with the given level of detail of
representation.
      </p>
    </sec>
    <sec id="sec-12">
      <p>Fig. 2. Generalized diagram of the technique of estimation of safety and reliability indexes: CTSCA analysis; binary SAM development; automated forming of the graph of states and transitions with split failure state; forming of the differential equations of Chapman-Kolmogorov; solving the differential equations of Chapman-Kolmogorov; obtaining the distribution of probability of CTSCA being in states; operable states selection; inoperable states selection; reliability indexes estimation; MCS computation; forming of FT basing on MCS.</p>
      <p>The procedure of filtering inoperable states from the whole phase space is carried out by
analysis of the state vector components, comparing them with the critical failure
condition. If an element is operable, the value of its corresponding SV component is
greater than zero. If the element has failed and led to an accident, the component will be equal
to zero.</p>
      <p>During the algorithm development it is taken into account that:</p>
      <list list-type="bullet">
        <list-item><p>at least one MCS is present in the system;</p></list-item>
        <list-item><p>a cut set of the system is an inoperable state in which the system falls into the catastrophic failure condition;</p></list-item>
        <list-item><p>an MCS of the system is a state in which the system is in catastrophic failure, but if at least one of the elements that have failed in this MCS is taken off, the catastrophic failure of the system cannot occur at all.</p></list-item>
      </list>
      <p>Definition of the MCS is carried out in two stages: the stage of obtaining the MCS and the stage of
estimating their probability values.</p>
      <p>Stage I. For finding the MCS the following procedures are used: MCS sorting and MCS
determination.</p>
      <p>At this step it is necessary to sort the obtained array of inoperable states of the system
by the feature of the smallest number of events that led to the accident of the system.
Further, based on the sorted array of inoperable states, the MCS are defined. As a result of
the proposed procedures the array of MCS is presented as a matrix.</p>
      <p>Stage II. Determination of MCS probability is performed by the following
procedures: determination of the MCS from all cut sets; summation of MCS probabilities; forming
the array of MCS and their probability values.</p>
      <p>At this stage we must create a matrix that consists of four columns: the
first column is the serial number of the MCS, N; the second column is the SV component and
its value; in the third column the numbers of the states which are covered by the
corresponding MCS are recorded; and in the fourth column the probabilities of the MCS obtained
as a result of this procedure are recorded. Also at this stage the procedure of
comparison of the system states is used.</p>
      <p>The procedure for obtaining the probability value of an MCS is the summation of the probabilities
of being in the respective states, whose numbers were found in the previous
procedure, i.e. in the states recorded in the third column of the
MCS matrix. As a result, the fourth column is filled with the appropriate MCS probability
values.</p>
      <p>An example of the usage of the developed method of MCS definition. A fault-tolerant
system consists of five modules A, B, C, D, E. Modules A, B, D form the main operable
configuration that provides performance of the system functions, and modules C and E are
reserve modules. Modules A and B are reserved by module C. The entire system is
reserved by module E. All modules have the same failure intensity λ = 0,001, and the
observation period is T = 100 h.</p>
      <p>The RBD of the fault-tolerant system is shown in Fig. 3.</p>
    </sec>
    <sec id="sec-13">
      <p>On the basis of the developed binary SAM of the fault-tolerant system,
which consists of the set of formal parameters (Fig. 4), the SV
components and failure condition (Fig. 5), and the tree of modification
rules of the state vector (Fig. 6),
which is the input to the software
module ASNA, the graph of states
and transitions was obtained in
automatic mode (Fig. 7).</p>
      <p>Fig. 5. State vector components and failure condition</p>
      <p>Based on the obtained graph of states and transitions, the ASNA software module
formed the mathematical model of the system as a system of Chapman-Kolmogorov
differential equations. After solving it, the probability of being in every possible state
was obtained. The probability of the system being in an operable state is 0.9894, and the
probability of failure is equal to:</p>
      <p>Q<sub>f</sub> = 1 - 0,9894 = 0,01061</p>
      <p>Fig. 7. Graph of states and transitions of the fault-tolerant system (states labeled by the operable modules, from ABCDE down to E and SF; transitions labeled by the failure intensities λA, λB, λC, λD, λE)</p>
      <p>On the basis of the graph of states and transitions, according to the developed algorithm,
it was determined that after simultaneous failure of modules E and D the system fails
as a whole. Next, the other two combinations which also lead to failure of the whole system
are ACE and BCE. Thus, these three combinations make up the MCS. The next stage was
the determination of the probability of each of these combinations.
Substituting the logical expression of MCS DE, ((V4 = 0) AND (V5 = 0)), in place of the failure
condition, the probability of simultaneous failure of the combination of modules
E and D was obtained: Q<sub>DE</sub> = 0,009. Similarly, substituting the logical expressions
of MCS ACE and BCE in place of the failure condition we get Q<sub>ACE</sub> = 0,00084 and Q<sub>BCE</sub>
= 0.00084. The calculated MCS are shown in Table 1.
The developed approach (Fig. 2) allows us to get the MCS in automatic mode without
fault tree construction.</p>
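      <p>The Fig. 2 procedure applied to the five-module example above, as an added illustration that is not part of the paper or of the ASNA software: it builds the matrix of transition intensities from the binary SAM failure line, integrates the Chapman-Kolmogorov equations, filters operable and inoperable states, and extracts the MCS with their probabilities (Stages I and II). The critical-failure condition in critical_failure is an assumption chosen to reproduce the three MCS named in the text, and the probabilities it returns are close to the reported values.</p>

```python
import math
from itertools import product

# Five-module fault-tolerant system from the paper's example: A, B, D form the
# main configuration, C reserves A or B, E reserves the whole system.
MODULES = ["A", "B", "C", "D", "E"]
LAMBDA = {m: 0.001 for m in MODULES}   # failure intensity of every module, 1/h
T_OBS = 100.0                          # observation period, h

def critical_failure(state):
    """Critical-failure condition over the binary SV (1 = operable, 0 = failed).
    Assumption: the RBD is read so that the system is down when E has failed
    and the main configuration is down, i.e. D has failed, or C has failed
    together with A or B. This reading yields the three MCS named in the text."""
    a, b, c, d, e = state
    main_down = d == 0 or (c == 0 and (a == 0 or b == 0))
    return e == 0 and main_down

def build_generator():
    """Apply the binary SAM line 'Failure of module i: condition Vi1=1,
    FCIT λi, FCPAT 1, MRSV Vi1=0' to every SV and build the matrix of
    transition intensities Q over all 2^5 states."""
    states = list(product((1, 0), repeat=len(MODULES)))
    index = {s: k for k, s in enumerate(states)}
    n = len(states)
    Q = [[0.0] * n for _ in range(n)]
    for s in states:
        for i, m in enumerate(MODULES):
            if s[i] == 1:                      # condition: Vi1 = 1
                t = s[:i] + (0,) + s[i + 1:]   # MRSV: Vi1 = 0
                Q[index[s]][index[t]] += LAMBDA[m]
                Q[index[s]][index[s]] -= LAMBDA[m]
    return states, Q

def solve_chapman_kolmogorov(states, Q, t_end, steps=200):
    """Integrate dP/dt = P·Q with classical RK4 from the all-operable state
    (ASNA uses Runge-Kutta-Merson; any stable explicit scheme works here)."""
    n = len(states)
    P = [1.0] + [0.0] * (n - 1)            # states[0] is (1, 1, 1, 1, 1)
    h = t_end / steps
    def deriv(p):
        return [sum(p[i] * Q[i][j] for i in range(n)) for j in range(n)]
    for _ in range(steps):
        k1 = deriv(P)
        k2 = deriv([P[j] + h / 2 * k1[j] for j in range(n)])
        k3 = deriv([P[j] + h / 2 * k2[j] for j in range(n)])
        k4 = deriv([P[j] + h * k3[j] for j in range(n)])
        P = [P[j] + h / 6 * (k1[j] + 2 * k2[j] + 2 * k3[j] + k4[j]) for j in range(n)]
    return dict(zip(states, P))

def failed_modules(state):
    """Set of module names whose SV component is zero in this state."""
    return frozenset(m for m, v in zip(MODULES, state) if v == 0)

def minimal_cut_sets(states):
    """Stage I: filter the inoperable states with the critical-failure
    condition, sort them by the number of failed modules, and keep a state's
    failed set only if no already accepted (smaller) cut set is contained in it."""
    inoperable = sorted((s for s in states if critical_failure(s)),
                        key=lambda s: s.count(0))
    mcs = []
    for s in inoperable:
        cut = failed_modules(s)
        if not any(k.issubset(cut) for k in mcs):
            mcs.append(cut)
    return mcs

def mcs_probability(cut, dist):
    """Stage II: substitute the MCS logical expression (all modules of the cut
    failed) for the failure condition and sum the probabilities of the states
    that satisfy it."""
    return sum(p for s, p in dist.items() if cut.issubset(failed_modules(s)))

def analyse(t_end=T_OBS):
    """Run the whole pipeline and return reliability and safety indexes."""
    states, Q = build_generator()
    dist = solve_chapman_kolmogorov(states, Q, t_end)
    p_operable = sum(p for s, p in dist.items() if not critical_failure(s))
    mcs = minimal_cut_sets(states)
    return {
        "P_operable": p_operable,
        "Q_failure": 1.0 - p_operable,
        "MCS": {"".join(sorted(c)): mcs_probability(c, dist) for c in mcs},
    }

if __name__ == "__main__":
    result = analyse()
    print("P_operable = %.4f, Q_failure = %.4f" % (result["P_operable"], result["Q_failure"]))
    for name, q in result["MCS"].items():
        print("MCS %s: Q = %.5f" % (name, q))
```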
      <p>Expanding the Functionality of the Program ASNA for the Safety Analysis of CTSCA</p>
      <p>For building complex models focused on the determination of reliability
and safety indexes it is most advisable to take as a basis the graph of states and
transitions with the split state of catastrophic failure and the method for its automated
construction using the binary SAM. However, the biggest problem for the designer in this
case is the construction of the binary SAM, because its formation requires from the
developer not only deep knowledge of the nuances of the functionality of the designed
CTSCA but also thorough knowledge of the techniques of constructing the formalized
graph of states and transitions, which is a whole direction in complex systems design.</p>
      <p>
        Therefore, the next urgent task is to automate the construction of the binary SAM based on a
graphical representation of the system as an RBD. This will speed up the development
of the SAM, reduce the time cost considerably and obtain both reliability and safety indexes.
The principles of this automation were laid down in works [
        <xref ref-type="bibr" rid="ref12">12, 15</xref>
        ]. At the same time, we note
that this approach narrows the class of analyzed systems because it does not allow
us to analyze complex technical systems whose behavior algorithm is described by queuing systems,
flowcharts, etc.
      </p>
      <p>
        According to approach [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] visualization software for the RBD of a technical system
was developed, which makes possible the automatic construction of graphic images of the flow diagram
of technical systems and the formation of the conditions of their functioning and failure.
Using the developed software, the information about the system is
transmitted as input to the ASNA software for further calculation of reliability indexes
according to the number of elements in the node, the number of renewals and
maintenance crews, the time range, and the intensities of failures and recoveries for each of the elements
of the analyzed system.
      </p>
      <p>
        In order to extend the functionality of the ASNA software to the safety analysis of
CTSCA, the binary SAM methodology has to be combined with the approach of [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. The SAM is modified as follows.
      </p>
      <p>Every element entered into the RBD creates one component of the state vector (SV); the number of SV components therefore equals the number of elements:</p>
      <p>Item1, Item2, …, Itemi, … → V11, V21, …, Vi1, …</p>
      <p>The initial value of each component is one: Vi1 = 1. The type of connection of the RBD elements (serial, parallel, combined) is given by the inoperable condition.</p>
      <p>If a limited number of renewals of the system is planned, another SV component, a repair counter, is added for each item:</p>
      <p>→ V12, V22, …, Vi2, …</p>
      <p>The initial value of each counter is zero: Vi2 = 0. If the number of renewals is unlimited, the additional component is not added.</p>
      <p>Each RBD element is assigned a line of the binary SAM as follows:</p>
      <table-wrap>
        <table>
          <thead>
            <tr><th>Event</th><th>Condition</th><th>FCIT</th><th>FCPAT</th><th>MRSV</th></tr>
          </thead>
          <tbody>
            <tr><td>Failure of module i</td><td>Vi1 = 1</td><td>λi</td><td>1</td><td>Vi1 = 0</td></tr>
          </tbody>
        </table>
      </table-wrap>
      <p>If the system is renewable, another line is assigned to the binary SAM for each RBD element:</p>
      <table-wrap>
        <table>
          <thead>
            <tr><th>Event</th><th>Condition</th><th>FCIT</th><th>FCPAT</th><th>MRSV</th></tr>
          </thead>
          <tbody>
            <tr><td>Repair of module i</td><td>(Vi1 = 0) AND (Vi2 &lt; RCi)</td><td>µi</td><td>1</td><td>Vi1 = 1; Vi2 = Vi2 + 1</td></tr>
          </tbody>
        </table>
      </table-wrap>
      <p>The parameters of each element (failure rate λi, repair intensity μi, number of repairs RCi, etc.) are transmitted to the set of formal parameters. The repair limits of each RBD element, the number of repair crews and the repair priority are likewise transmitted to the set of formal parameters. The inoperable conditions are transmitted to the SAM and serve to filter the operable and inoperable states.</p>
      <p>Thus all components of the SAM can be formed automatically. The generated data can be
written to a file that is sent to the ASNA software module as input data. The ASNA
software module then obtains the graph of states and transitions with the split failure
state automatically. Based on the graph of states and transitions, ASNA makes it possible
to assess reliability. The CutSetDefiner software, also working from the graph of states
and transitions, generates the MCS, and from the MCS the fault tree can be obtained
automatically with the software of [16].</p>
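      <p>The construction rules above, as an added Python example (it is not code from the paper, from ASNA or from CutSetDefiner): the SAM lines are generated from a list of RBD elements, the graph of states and transitions is expanded from the initial state vector, the inoperable condition filters operable from inoperable states, and the minimal cut sets are read directly off the inoperable states, which is the step the text assigns to CutSetDefiner. The three-element RBD, its rates and its inoperable condition are constructed for the illustration; the code also handles unlimited repairs (no counter component) and non-renewable systems (no repair lines).</p>
      <preformat>
```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional

State = Dict[str, int]

@dataclass(frozen=True)
class Element:
    """One RBD element with the formal parameters listed in the text."""
    name: str
    lam: float          # failure rate λi
    mu: float           # repair rate µi
    rc: Optional[int]   # repair limit RCi; None means unlimited repairs

@dataclass
class SamLine:
    """One line of the binary SAM: Event, Condition, FCIT, FCPAT, MRSV."""
    event: str
    condition: Callable[[State], bool]  # when the transition is enabled
    fcit: float                         # transition intensity
    fcpat: float                        # probability of this alternative
    mrsv: Callable[[State], State]      # state-vector modification rule

def initial_vector(elements, renewable=True):
    """Vi1 = 1 for every element; Vi2 = 0 (repairs used) when a repair limit applies."""
    v = {}
    for e in elements:
        v[e.name + "1"] = 1
        if renewable and e.rc is not None:
            v[e.name + "2"] = 0
    return v

def build_sam(elements, renewable=True):
    """One failure line per element and, for renewable systems, one repair line per element."""
    lines = []
    for e in elements:
        n, rc = e.name, e.rc
        # Failure of module i: condition Vi1=1, FCIT λi, FCPAT 1, MRSV Vi1=0
        lines.append(SamLine(f"Failure of {n}", lambda v, n=n: v[n + "1"] == 1,
                             e.lam, 1.0, lambda v, n=n: {**v, n + "1": 0}))
        if renewable:
            # Repair of module i: condition (Vi1=0) AND (RCi > Vi2), FCIT µi, FCPAT 1,
            # MRSV Vi1=1 and Vi2=Vi2+1 (the counter exists only when RCi is limited)
            def repair_ok(v, n=n, rc=rc):
                return v[n + "1"] == 0 and (rc is None or rc > v[n + "2"])
            def repair(v, n=n, rc=rc):
                w = dict(v)
                w[n + "1"] = 1
                if rc is not None:
                    w[n + "2"] += 1
                return w
            lines.append(SamLine(f"Repair of {n}", repair_ok, e.mu, 1.0, repair))
    return lines

def _key(v):
    return tuple(sorted(v.items()))

def generate_graph(elements, sam, renewable=True):
    """Breadth-first expansion of the SAM into the graph of states and transitions."""
    start = initial_vector(elements, renewable)
    states = {_key(start): start}
    transitions = []  # (from_state, to_state, event, rate = FCIT * FCPAT)
    queue = deque([start])
    while queue:
        v = queue.popleft()
        for line in sam:
            if line.condition(v):
                w = line.mrsv(v)
                if _key(w) not in states:
                    states[_key(w)] = w
                    queue.append(w)
                transitions.append((_key(v), _key(w), line.event, line.fcit * line.fcpat))
    return states, transitions

def minimal_cut_sets(states, elements, inoperable):
    """MCS read directly off the graph: minimal failed-element sets among inoperable states."""
    failed = {frozenset(e.name for e in elements if v[e.name + "1"] == 0)
              for v in states.values() if inoperable(v)}
    minimal = [s for s in failed if not any(s > o for o in failed)]
    return sorted((sorted(s) for s in minimal), key=lambda s: (len(s), s))

# Constructed RBD (not the paper's system): A in series with the parallel pair (B, C),
# every module repairable once (RCi = 1); the rates are illustrative.
ELEMENTS = [Element("A", 1e-3, 0.1, 1), Element("B", 2e-3, 0.1, 1), Element("C", 2e-3, 0.1, 1)]

def inoperable_abc(v):
    """Inoperable condition encoding the connection type: A down, or both B and C down."""
    return v["A1"] == 0 or (v["B1"] == 0 and v["C1"] == 0)

def analyse(elements=ELEMENTS, inoperable=inoperable_abc, renewable=True):
    """Build the SAM, expand the graph, filter operable/inoperable states, derive the MCS."""
    states, transitions = generate_graph(elements, build_sam(elements, renewable), renewable)
    bad = sum(1 for v in states.values() if inoperable(v))
    return {"states": len(states), "transitions": len(transitions),
            "operable": len(states) - bad, "inoperable": bad,
            "mcs": minimal_cut_sets(states, elements, inoperable)}

if __name__ == "__main__":
    print(analyse())
```
      </preformat>
      <p>For the constructed RBD with one repair per module the expansion yields 64 states and 144 transitions, of which 24 states are operable, and the MCS are {A} and {B, C}; with unlimited repairs the counter components disappear and the graph shrinks to 8 states. The repair line is only emitted when the system is renewable, and the counter component only when a repair limit is given, which mirrors the two cases the text distinguishes.</p>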
      <p>Conclusions</p>
      <p>1. Splitting the critical failure state in the graph of states and transitions, in contrast to the known approaches, allows the reliability and safety indexes to be estimated in a way that takes into account the impact of maintenance strategies on safety and reliability and the impact of fault tolerance on safety. This increases the accuracy (certainty) of the efficiency index estimates of complex technical systems for critical application.</p>
      <p>2. Obtaining minimal cut sets on the basis of the graph of states and transitions allows the interrelations of accidents to be taken into account directly from the analysis of system states when identifying weaknesses. This yields only justified means of providing fault tolerance, which reasonably reduces the cost of improving the system.</p>
      <p>3. Using the binary structural-automatic model allows the split critical failure state to be obtained automatically and reduces the time cost of building the graph of states and transitions.</p>
      <p>4. A risk reduction factor was introduced to quantitatively assess the efficiency of improving safety by improving reliability through redundancy of the critical elements of complex technical systems for critical application.</p>
      <p>5. Building the fault tree from the graph of states and transitions on the basis of minimal cut sets takes into account the behaviour of the complex system, which is not available when using static and dynamic fault trees.</p>
      <p>6. Combining the binary structural-automatic model with the method of automated construction of the graph of states and transitions from the reliability block diagram makes it possible to automate the procedure of building the structural-automatic model of fault-tolerant renewable complex technical systems for critical application and to reduce time costs by more than an order of magnitude.</p>
      <p>15. Mandziy B. A., Ozirkovskyi L.D.: Automation of Building Reliability Models of Redundant Restorable Complex Technical Systems. Eastern-European Journal of Enterprise Technology, № 4 (62), 2, 44-49 (2013) (in Ukrainian)</p>
      <p>16. Volochiy B.Yu., Ozirkovskyi L.D., Mashchak A.V., Shkiliuk O.P.: Fault Tree Build Automation for Safety Estimation of Complex Technical System. In: Proc. of IV International Conference “Physical and Technological Problems of Wireless Devices, Telecommunications, Nano- and Microelectronics PREDT-2014”, pp. 102-103 (2014) (in Ukrainian)</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>1. Polovko A.M., Gurov S.V.: Basics of reliability theory. BHV Peterburg Publ., Saint Petersburg (2006) (in Russian)</mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>2. Bobalo Yu., Volochiy B., Lozynskyy O., Mandziy B., Ozirkovskyy L., Fedasyuk D., Shcherbovskykh S., Yakovyna V.: Mathematical Models and Methods of Analysis of Radioelectronic, Electromechanic and Software Systems. Lviv Polytechnic National University Publ., Lviv (2013) (in Ukrainian)</mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>3. RAMS (Reliability, Availability, Maintainability and Safety) Software, http://aldservice.com/en/reliability-products/rams-software.html</mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>4. PTC Windchill, http://ru.ptc.com/product/windchill/quality</mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>5. ReliaSoft Synthesis Master Suite, http://www.reliasoft.com/products.htm</mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>6. Reliability Engineering Software. Products, http://www.itemsoft.com/products.html</mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>7. Reliability Workbench, http://www.isograph.com/software/reliability-workbench/</mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>8. Henley, Ernest J., Hiromitsu Kumamoto: Probabilistic Risk Assessment: Reliability Engineering, Design and Analysis. Wiley-IEEE Press, 2nd edition (2000)</mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>9. Ajit Kumar Verma, Srividya Ajit, Durga Rao Karanki: Reliability and Safety Engineering. Springer Science &amp; Business Media (2010)</mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>10. Alessandro Birolini: Reliability Engineering: Theory and Practice, Sixth Edition. Springer (2010)</mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>11. Bohdan Volochiy, Bohdan Mandziy, Leonid Ozirkovskyi: Extending the features of software for reliability analysis of fault-tolerant systems. Computational Problems of Electrical Engineering, 2, 2, 113-121 (2012)</mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>12. Mandziy Bogdan, Seniv Maksym, Mosondz Natalia, Sambir Andriy: Programming Visualization System of Block Diagram Reliability for Program Complex ASNA-4. In: Proc. of 13-th International Conference “The Experience Of Designing And Application Of Cad Systems In Microelectronics CADSM-2015”, Lviv-Slavsko (2015) (in Ukrainian)</mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>13. Guangbin Yang: Life Cycle Reliability Engineering. Wiley, Hoboken, N.J. (2007)</mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>14. T. Zentis, R. Schmitt: Technical Risk Management for an Ensured and Efficient Product Development on the Example of Medical Equipment. In: Proceedings of the 23rd CIRP Design Conference “Smart Product Engineering”, March 11th - 13th, pp. 387-398. Bochum (2013)</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>